Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.1

    MEDIUM
    CVE-2025-62297

    SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55.... Read more

    Affected Products : soplanning
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.8

    MEDIUM
    CVE-2025-62346

    A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint.... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.1

    MEDIUM
    CVE-2025-62295

    SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55.... Read more

    Affected Products : soplanning
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.6

    MEDIUM
    CVE-2025-13437

    When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symli... Read more

    Affected Products :
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Misconfiguration

  • 8.7

    HIGH
    CVE-2025-62730

    SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow ... Read more

    Affected Products : soplanning
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization

  • 5.1

    MEDIUM
    CVE-2025-62731

    SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only admini... Read more

    Affected Products : soplanning
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.1

    MEDIUM
    CVE-2025-62729

    SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55.... Read more

    Affected Products : soplanning
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 1.9

    LOW
    CVE-2025-13425

    A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) i... Read more

    Affected Products : osv-scalibr
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Denial of Service

  • 6.4

    MEDIUM
    CVE-2025-11808

    The Shortcode for Google Street View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'streetview' shortcode in all versions up to, and including, 0.5.7. This is due to insufficient input sanitization and output escaping on the 'i... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-12160

    The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible f... Read more

    Affected Products : simple_user_registration
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 0.0

    NA
    CVE-2025-66096

    Missing Authorization vulnerability in Imtiaz Rayhan Table Block by Tableberg tableberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Table Block by Tableberg: from n/a through <= 0.6.9.... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-11799

    The Affiliate AI Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'asin' shortcode attribute in the affiai_img shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output e... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.4

    MEDIUM
    CVE-2025-12066

    The WP Delete Post Copies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 0.0

    NA
    CVE-2025-66114

    Missing Authorization vulnerability in theme funda Show Variations as Single Products Woocommerce woo-show-single-variations-shop-category allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Show Variations as Single... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-10039

    The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user contr... Read more

    Affected Products : wsdesk
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization

  • 0.0

    NA
    CVE-2025-66106

    Missing Authorization vulnerability in Essential Plugin Featured Post Creative featured-post-creative allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Post Creative: from n/a through <= 1.5.5.... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authorization

  • 8.7

    HIGH
    CVE-2025-62294

    SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens, a malicious attacker is able to brute-force all possible values and takeover any account in reasonable amount of time. Thi... Read more

    Affected Products : soplanning
    • Published: Nov. 20, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Authentication

  • 0.0

    NA
    CVE-2025-66092

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bqworks Accordion Slider accordion-slider allows Stored XSS.This issue affects Accordion Slider: from n/a through <= 1.9.13.... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-11801

    The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escap... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-11800

    The Surbma | MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and outp... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 21, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 3690 Results